Zoom’s Auto-Update Feature Exposes Mac Users to Security Flaw: Report

Security researcher Patrick Wardle recently discovered three security vulnerabilities in the popular video conferencing app Zoom’s auto-update feature that put Mac users at risk of remote attacks (via WIRED).

Zoom rolled out its auto-update feature on both Mac and Windows in November of last year. On Mac, users need to enter their system password while enabling the feature. Once auto-update is set up, Zoom automatically downloads and installs the latest software patches when it launches.

Wardle presented these weaknesses at the DEF CON cybersecurity conference in Las Vegas on Friday. Zoom has already fixed two of these vulnerabilities.

One of the now-fixed vulnerabilities involved the auto-updater’s cryptographic signature check, while the other could be used to trick Zoom into installing an older, more vulnerable version of the app, which could then be exploited to gain full control of the victim’s Mac.

“We have already resolved these security issues,” a Zoom spokesperson told WIRED. “As always, we recommend users keep up to date with the latest version of Zoom … Zoom also offers automatic updates to help users stay on the latest version.”

The third vulnerability Wardle discovered lies within the Zoom installer itself and has not been fixed as of this writing. If successfully exploited, this flaw could allow an attacker to abuse the Zoom installer’s root privileges on the victim’s device, giving them full control over it.

“The main reason I looked at this is that Zoom is running on my own computer,” Wardle said.

“There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.”

In order to exploit any of these flaws, an attacker would need to already have access to your Mac. That said, the vulnerabilities are still significant and need to be patched nonetheless.

Zoom is no stranger to security vulnerabilities. At one point, Zoom had a security flaw that allowed websites to switch Mac users’ webcams on without permission.

As the app grew in popularity during the pandemic, threat actors started targeting it as well, and the company had to step up its security efforts accordingly. Even Apple has stepped in and previously helped Zoom patch vulnerabilities on macOS.